Pharmaceutical giant Merck’s won an appeal that might see it claim $1.4 billion from insurers due to the NotPetya ransomware attack. The decision hinged on the definition of war and it could also affect how insurance terms are defined in the future. Credit: Photon Photo/Shutterstock Pharmaceutical firm Merck recently won an appeal that could mean its insurers will have to pay up on a $1.4-billion judgment related to the NotPetya cyberattack in 2017. The New Jersey appellate division judges hearing the appeal judge noted that the plain definition of war applies to the various insurance policies and that a cyberattack against an accounting firm not engaged in hostilities, while criminal and based on ill-will, was not tantamount to an act of war.As detailed in the judges’ decision, many of the original defendants settled their portion of the insurance claim with Merck. In a separate yet parallel case involving multinational food and beverage company Mondelez International and Zurich American Insurance, a settlement was also reached, missing the opportunity to have a telling effect and adjustment on how cyber insurance will be treated going forward.Lloyd’s settlement gives clues about the future of cyber insuranceThis rejection of the appeal by the insurance companies and the actions taken in March 2023 by Lloyd’s of London give us some direction when it comes to understanding how cyber insurance will likely be handled in the future — which is that cybersecurity exclusions will be more clearly defined. An amici brief filed by the Insurance Law Scholars in the Lloyd’s case noted that the trial court’s decision should be affirmed because it was “supported by the drafting history of war exclusions” and the insurers “failed to use readily available insurance policy provisions that would have excluded or limited the coverage provided for cyber-related events.” On page 23 of the judges’ decision in the Merck case, the verbiage is more direct: “Coverage could only be excluded here if we stretched the meaning of ‘hostile’ to its outer limit in an attempt to apply it to a cyberattack on a noncombatant firm that provided accounting software updates to various non-combatant customers, all wholly outside the context of any armed conflict or military objective.” The judges noted that that approach would conflict with basic principles that require courts to narrowly construe an insurance policy exclusion. “The specific, plain, clear, and prominent meaning of, and the clear import and intent of, a word or phrase in an exclusion does not equate to its broadest possible interpretation, but rather its narrowest.” If this were a soccer match, it would appear the court is calling it an “own goal” by the insurer.Why is defining what counts as war important?The war exclusion was found to be not applicable, and the court used the insurer’s own words to detail the “why” behind the denial. When read by a layman such as me, it appears the judges believed the insurers had ample time to adjust their policy dynamics and didn’t get around to it. I reached out to Violet Sullivan, vice president of client engagement for Redpoint Cybersecurity and cybersecurity law adjunct professor at Baylor Law School, and asked for her perspective, given her background. She believes the ruling will most likely be appealed to the New Jersey Supreme Court. In addition, she noted that the insurer shouldered the burden of proof, and the court and appeal judges ruled that burden had not been met.War on the ground versus war in cyberspaceSullivan suggested that instead of this being a question of attribution and determining which foreign government the attack was tied to, the entire initial 2022 decision depends on an arbitrary differentiation between physical/kinetic or cyber warfare. It’s focused on the nature of the attack and what war meant in the policy and in legal precedent.That said, when a nation’s intelligence entities run covert operations, which Russia does on a regular basis, the goal of the government at hand is to always maintain plausible deniability any illegal acts. Could the NotPetya attack have been sponsored by the Russian Federation? Absolutely, and indeed, Kroll Cyber Security, the cyber consultant for the insurers, opined before the court “with high confidence” that the attack was “orchestrated by actors working for or on behalf of the Russian Federation.” Yet, one should note that when the US Department of Justice had the opportunity to pin the tail on that same donkey, they demurred.Thus, if a national government is not going to attribute nation-state sponsorship to an attack, then it will be most difficult for an insurance entity to successfully do so within the courts without explicit verbiage in the cybersecurity exclusions. Related content opinion The Assumed Breach conundrum Assumed Breach is the third but often overlooked principle of zero trust. When we talk about adopting a “not if, but when” attitude to security, are we merely paying lip service or do we really believe and internalise it? By Steven Sim Apr 23, 2024 4 mins Zero Trust Security news Authentication failure blamed for Change Healthcare ransomware attack Absence of multi-factor authentication reportedly left a remote access application exposed. By John Leyden Apr 23, 2024 5 mins Ransomware Cyberattacks news Russian state-sponsored hacker used GooseEgg malware to steal Windows credentials A now-patched Windows Print Spooler flaw was used by Forest Blizzard to drop the privilege-elevating malware for credential stealing and persistence. By Shweta Sharma Apr 23, 2024 3 mins Malware Windows Security feature Top 10 physical security considerations for CISOs Securing premises and devices from physical attacks can be just as challenging as defending against cyber threats. Collaboration and communication with all teams involved is the key to success. By Ericka Chickowski Apr 23, 2024 14 mins Critical Infrastructure Security Infrastructure Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe